April 2017

CyberGRX Closes $20M Series B Funding to Accelerate Growth of World’s First Third-Party Cyber Risk Exchange


Bessemer Venture Partners Leads Series B Round with Participation from Existing Investors; Funding Comes on Heels of Launch of CyberGRX Exchange

Business Wire | April 18, 2017 | 8am ET

DENVER – April 18, 2017 – CyberGRX, the provider of the most comprehensive third-party cyber risk management platform, today announced that it has raised $20 million in Series B funding led by Bessemer Venture Partners (BVP). CyberGRX’s existing investors also participated in the round, including Aetna Ventures, Allegis Capital, ClearSky, GV (formerly Google Ventures), MassMutual Ventures, Rally Ventures, TenEleven Ventures and several other strategic investors. CyberGRX will use the funding to accelerate adoption of the CyberGRX Exchange, the world’s first global third-party cyber risk management (TPCRM) exchange.

As enterprises’ digital ecosystems grow and become increasingly interconnected, the volume and complexity of security and resiliency risks from third parties, including contractors, vendors, partners and customers, only grows. According to PwC’s 2016 Global State of Information Security report, third-party contractors are the biggest source of security incidents outside of a company’s employees. At the same time, the third-party cyber risk management process is largely driven by sharing spreadsheets and trusting unvalidated assessments. Built in partnership with the chief security and risk officers from some of the world’s largest companies, including Aetna, ADP and MassMutual, the CyberGRX Exchange brings massive efficiency to this process while providing boardroom-level information about real-time cyber risk exposure across an enterprise’s entire ecosystem of third parties.

“For an enterprise today, managing cyber risk requires visibility into the extended network of vendors who store information about us,” said David Cowan, the BVP partner joining CyberGRX’s board of directors. “The CISOs we surveyed overwhelmingly look to CyberGRX to help them identify, assess and remediate cyber risks in their extended networks.”

Launched in March 2017, the CyberGRX Exchange is designed to make it simple and cost effective for enterprises to get up-to-date, comprehensive, one-click access to their third parties’ cyber risk assessments. It is purpose-built to transform companies’ third-party cyber risk management processes from a compliance-based to a risk management-based approach. For third parties, the CyberGRX Exchange is designed to make it easy to complete one updated cyber risk assessment and share it with their many upstream partners. The CyberGRX Exchange delivers standardized assessments, actionable analytics, remediation management and real-time threat intelligence updates to enterprises and their third parties, enabling them to mitigate risk, reduce costs and manage process complexity.

“There’s a simple question at the heart of third-party cyber risk: which vendors, partners, suppliers or contractors pose the biggest threat to my organization?” said Fred Kneip, CyberGRX CEO. “The answer isn’t usually as simple because it’s constantly changing. We’ve developed the world’s first and only global third-party cyber risk exchange, which will continuously answer that question and provide actionable recommendations and the tools for companies to effectively manage that risk. This capital from Bessemer Venture Partners and our existing investors will help us scale the business around the CyberGRX Exchange to meet growing demand from enterprises and third parties who’ve grown tired of the status quo. The relationships we have with key investors, customers and design partners put CyberGRX in the pole position to be the new industry standard for third-party cyber risk management.”

Founded by former CISOs and risk officers and backed by world-class investors, CyberGRX partners with some of the most trusted names and brands in cybersecurity. With this investment, David Cowan joins the CyberGRX board of directors. Also forming part of the board are: Bob Ackerman, founder and managing director at Allegis Capital; Jay Leek, managing director at ClearSky; Mark Hatfield, founder and general partner at TenEleven Ventures; Stuart McClure, CEO at Cylance; and Fred Kneip, CEO at CyberGRX.

For more information on CyberGRX or to join the CyberGRX Exchange, please visit https://www.cybergrx.com/.

About CyberGRX

CyberGRX provides the most comprehensive third-party cyber risk management platform to cost-effectively identify, assess, mitigate and monitor an enterprise’s risk exposure across its entire partner ecosystem. Through automation and advanced analytics, the CyberGRX solution enables enterprises to collaboratively mitigate threats presented from their increasing interdependency on vendors, partners and customers. Based in Denver, CO, CyberGRX is backed by Allegis Capital, Bessemer Venture Partners, Blackstone, ClearSky, GV (formerly Google Ventures), MassMutual Ventures, Rally Ventures, TenEleven Ventures and several other strategic investors. For more information, visit www.cybergrx.com or follow @CyberGRX1 on Twitter.

Contact:

Ted Weismann

fama PR for CyberGRX

(617) 986-5009

CyberGRX@famapr.com


Security startup Synack scores $21M investment from Microsoft, HPE and Singtel

Synack, a startup that combines software security tools with a network of white-hat hackers to help keep its customers secure, announced a $21.25 million Series C funding round today.

The round was led by Microsoft Ventures with participation from Hewlett Packard Enterprise and Singtel Innov8. Previous investors GGV Capital, GV (formerly Google Ventures) and Kleiner Perkins Caufield & Byers also participated. Today’s investment brings the total raised to $55 million, according to the company.

It’s hard not to notice that this is an impressive combination of corporate and traditional venture capital attention.

Perhaps that’s because Synack takes an unusual approach to enterprise security, going on offense instead of defense, according to company CTO Mark Kuhr. He and his co-founder CEO Jay Kaplan might know a thing or two about going on offense, having previously worked for the NSA before starting Synack in 2013.

Kuhr says they decided to start the company when they saw the defensive tactics companies were using simply weren’t working — as Sony, JP Morgan Chase, OPM, Ashley Madison, Adobe, Target and many others can attest.

“Jay Kaplan and I left the NSA to come up with a different way for offensive security for the enterprise. We noticed at NSA that hackers were coming through all the defenses, taking data and putting malware on the systems,” he said.

Kuhr says his company uses a three-pronged strategy to help protect systems and IP — command, control and action. “We couple the human element with machines. It’s a man and machine story. We bring in people when we need to,” he said.

In fact the command piece starts with a community of several hundred white-hat hackers from around the world whom the company has vetted to be sure they are ethical and pass a background check.

The control piece is their penetration testing service, which looks for vulnerabilities in an automated way. The action is the plan they come up with to help protect the system once they find a problem. For instance, if they find an open back door in the code, they would recommend that the client close it up.

Kuhr says it’s similar to the strategy they employed at the NSA where they went on offense, getting in the shoes of the adversary and trying to understand what they were doing. But he understands that most private companies don’t have access to the talent they had at the NSA. That’s why they are trying to package that kind of support and protection as a service.

They work on a flat-fee subscription model, running the automated systems and bringing in a team of expert hackers when necessary to root out vulnerabilities. While the friendly hacker approach sounds a lot like the HackerOne strategy, Kuhr says the difference is that HackerOne uses an open model and his company a private one.

The company has around 100 employees plus the network of hackers. That will probably increase this year with the new funding as they look to expand into new markets in Europe and Asia. Currently, they have 100 customers mostly in the enterprise. Kuhr says company revenue has been doubling every year and today’s investment is about keeping that momentum going.

Find more here: www.techcrunch.com

China-Based Threat Actor APT10 Ramps Up Cyber Espionage Activity


Customers of managed security service providers, website of U.S. trade lobby group targeted in separate campaigns

Dark Reading | Jai Vijayan | April 6, 2017

An unknown number of managed service providers and their customers are victims of a massive, global cyber espionage campaign by a China-based threat actor that this week was also fingered in another attack against a U.S. group involved in lobbying around foreign trade policy.

News of the campaigns coincides with Chinese President Xi Jinping’s first official visit to the U.S. to meet with President Trump. It suggests that cyber-enabled espionage out of China continues to be an issue, despite a September 2015 agreement between the U.S. and Chinese governments not to support or engage in such activities.

“Even as IP-focused cyber-espionage has reduced since the Xi Jinping-Obama agreement, big business will continue to be targeted, if nothing else than for the influence they hold over governments,” warns Hardik Modi, vice president of threat research at Fidelis Cybersecurity.

Fidelis was one of the organizations that this week disclosed new cyber espionage activity by APT10, a well-known China-based advanced threat group that is also known as Stone Panda. The other warning about the APT10 group’s resurgent activity, after a period of relative quiet, came from PwC UK and BAE Systems.

‘TradeSecret’ campaign against National Foreign Trade Council

The Fidelis report involves “TradeSecret,” the company’s name for a targeted and strategic campaign directed at the website of the National Foreign Trade Council (NFTC), a trade lobby group representing some of America’s largest companies.

According to Fidelis, its security researchers in February discovered a reconnaissance tool called “Scanbox,” previously associated with China government-sponsored threat actors, embedded on specific pages of the NFTC site. Among the infected pages were those that NFTC board members used to register for meetings.

The malware was configured to infect the systems of anyone who visited the pages and to collect credential and session information, as well as system-level data that could later be used in phishing attacks or for exploiting specific vulnerabilities. It’s unclear how the APT10 group initially breached the site in order to embed Scanbox on it.

“Scanbox is a robust framework that can include a variety of reconnaissance modules,” Modi says. It can, for instance, be used to determine the software running on a target system, the type and version of antivirus on it, and other details. “In some instances, it has been known to serve up a JavaScript keylogger that can be used to grab credentials that the target enters on the page,” he says.

NFTC members have been major contributors to the dialogue around the new U.S. trade policy framework being developed by the Trump Administration. It is highly likely the APT10 group will use data that Scanbox collected to craft targeted attacks against them.

‘Cloud Hopper’ campaign against MSPs

Meanwhile, in a separate advisory, PwC and BAE Systems warned about a systematic and widespread APT10 campaign they have dubbed “Cloud Hopper” to steal data from an unknown, but most likely large, number of organizations.

What makes the campaign scary and highly scalable, according to the two organizations, is the APT10 group’s tactic to target companies via their managed service providers, rather than directly.

Multiple MSPs have been hit since late 2016 and their infrastructure has been used to gain access to the networks of their customers. Typical attacks have involved APT10 gaining access to an MSP network, looking for customers that match its interests, and then breaking into their networks using the MSP’s legitimate access.

The China-based group has then been extracting data from the victim’s network, putting the data into compressed files, sending it back to the MSP network and from there to servers controlled by APT10.

The investigations by BAE and PwC show that the campaign is focused on extracting intellectual property and other sensitive data from organizations. “APT10 is known to have exfiltrated a high volume of data from multiple victims, exploiting compromised MSP networks, and those of their customers, to stealthily move this data around the world,” the two companies said in their report.

The Cloud Hopper campaign is a classic example of the evolution of third-party cyber risk, says Fred Kneip, CEO of CyberGRX. It takes advantage of the implicit trust that many organizations place in their cloud service providers and the other third parties they do business with.

“Although attacks via third parties are the second biggest source of security incidents, most organizations do not have a consistent process to help them understand which partners pose the most risk to their organization,” Kneip says. Organizations need to truly understand their residual risk from each third party, and perform their own validation of key controls as opposed to relying on self-assessments, he says.

“Customers need to ask relevant questions of their provider as to how they achieve customer segmentation and segregation,” advises Jim Reavis, executive director of the Cloud Security Alliance. “Customers also need to understand their own responsibilities and in many cases it is their job to add data protection controls like encryption or to use the provider’s logging capabilities to monitor access to their own cloud instances.”

Meanwhile, campaigns such as Cloud Hopper also highlight the need for cloud service providers to perform segmentation at multiple levels, including networks, users, applications and data, to mitigate the fallout from a data breach, Reavis says. “No company can prevent all breaches, but systems should be designed so that a single breach impacts a maximum of one customer.”

John Pescatore, director of emerging threats at the SANS Institute, said that attacks targeting cloud service providers are nothing new. Edward Snowden’s leaks showed the US government was targeting IT service providers as far back as 2013. And attacks on Google and others in subsequent years have shown that Chinese threat actors have been doing the same for some time now, he says.

“The bigger suppliers are pretty good at protecting themselves, but they are rarely the low cost providers,” Pescatore says. “All too often obtaining [specific security] certifications is all the lower cost providers have to show in order to win competitions,” he says. “There has been talk in the IT service provider industry association of raising the bar, like has been done in the UK, but not much movement forward.”

Is this the new normal? Bay Area startup fundings hit 6-year low in Q1

Silicon Valley Business Journal | Cromwell Schubarth | April 5, 2017

Venture industry leaders say their world continued to “normalize” in the first quarter of this year as the gap between the haves and have-nots of the startup world widened.

But the kind of normal reported Wednesday by PitchBook Data and the National Venture Capital Association might not seem like a great thing to a lot of founders.

Funding deals in the Bay Area in the first three months of this year dropped to their lowest level since the end of 2010, PitchBook and the NVCA said.

That is a little more than six years ago, when many of today’s “unicorns” like Uber, Airbnb and Palantir Technologies had yet to raise a round at a private valuation of $1 billion or more. In fact, 15 of the 50 Bay Area venture-backed companies valued at the unicorn level today were founded in 2010 or later.

There were 386 deals done in the Silicon Valley and San Francisco regions between January and March, a drop of 28 percent from a year ago. That’s down by about 31 percent from the number of fundings done in the recent peak quarter of Q1 in 2015.

The $6.7 billion invested, however, remains in the $5 billion to $10 billion range it has hovered around since early in 2014. That’s not counting the outlier second quarter of last year when local companies raised more than $12.3 billion, fueled largely by a mega-funding of Uber.

“It’s harder for things to get funded and the bar is higher than it was a little while ago,” Bob Ackerman of Allegis Capital said in an interview. “In parallel to that there is a flight to quality. Larger checks are going into those companies where there is a proven use case and demonstrated traction.”

Bobby Franklin, CEO of the venture association, said VCs have plenty to invest. After raising a 10-year high of $41 billion in new capital last year, there was another $7.9 billion raised in the first quarter.

“The deceleration of investment activity that we experienced at the end of 2016 continued in the first quarter, signifying that we are in fact returning to a more rational level of investment activity more in line with the annual growth rate of the industry over the last ten years,” Franklin said in the report.

“After seeing large pools of capital raised in recent quarters, venture investors will continue to have dry powder to deploy to the entrepreneurial ecosystem, albeit with a more disciplined approach,” he said. “Combined with a positive outlook for a strengthening IPO environment for venture-backed companies, there is much to be optimistic about in 2017.”

There were 47 exits by IPO or M&A in the Bay Area in the first quarter, led by the $3.7 billion IPO-eve acquisition of San Francisco-based AppDynamics by Cisco Systems. That’s down two from the fourth quarter of last year and is the lowest number recorded since the banking crisis years of 2008 and 2009.

The PitchBook report, however, sees promising signs of more exits in the future.

“The lack of available late-stage funding coupled with the initial success of the Snap and MuleSoft IPOs could result in more venture-backed companies following suit,” it said.

MuleSoft was the first Bay Area tech IPO in about six months when it went public last month. Its stock has remained up around 40 percent since. Another San Francisco company, Okta, is expected to make its Wall Street debut on Friday as the region’s second IPO for 2017.

Allegis Capital’s Ackerman agrees that more companies are likely to follow them this year.

“You look at the public markets today and you have to think they are pretty fully valued,” he said. “What tends to happen when you have a more mature public market is investors start looking for growth and that tends to favor the IPO market.”

Find Article Here: www.bizjournals.com

Bridging the gap between government and Silicon Valley

DataTribe pairs up, invests in experts from public, private industry

Third Certainty | Rebecca Theim | April 3, 2017

If you know where to look, there is a rich vein of venture capital looking to back innovative cybersecurity technologies.

One hot spot is the “Cyber Corridor” around Washington, D.C., where venture capitalists are looking to combine Silicon Valley startup know-how with cybersecurity advances coming out of the country’s military industrial complex.

Bob Ackerman, Allegis Capital founder and DataTribe co-founder

“When you hear the term ‘government innovation,’ it sounds like an oxymoron, except when you’re talking about cybersecurity capabilities and data analytics,” says Bob Ackerman, founder of Allegis Capital. “In those arenas, government is five to seven years ahead of private industry.”

Allegis is a backer of DataTribe, which seeks out government experts with special security know-how and pairs them with mentors from the defense and intelligence communities, as well as from the world of Silicon Valley’s venture capitalists.

Finding a niche

Rather than taking the shotgun approach of traditional start-up incubators, Ackerman said DataTribe looks “down the road and anticipates market needs and identifies where appropriate and relevant technology has been developed. We’ve created a watering hole for the deep technology thinkers.”

Ackerman co-founded DataTribe with former CIA information technology officer Steve Witt, founder and former CEO of Onyara, a data analytics firm that was acquired by Hortonworks in 2015, and Mike Janke, a former Navy SEAL and founder and former CEO of secure communications service Silent Circle.

DataTribe will invest between $1 million and $1.5 million in seed money and another $600,000 in operating support in the startups it backs, and up to an additional $1.5 million in later-stage, Series A funding. The average seed round capital is usually about $225,000, and a Silicon Valley investment is, on average, about $1 million, Ackerman says.

DataTribe’s portfolio includes:

Dragos, which was created by three former U.S. intelligence analysts to develop software to protect critical, privately owned infrastructure, such as the electric grid. Dragos’ CEO was part of the response team to the 2016 attack on Ukraine’s power centers—the first confirmed hack to disable a power grid.

Enveil, which uses homomorphic encryption that allows the processing of data without ever decrypting it. It was the runner-up among the 10 companies that presented at RSA’s 2017 Innovation Sandbox in February. Enveil was launched by a team of doctorate-level mathematicians and computer scientists from the U.S. intelligence community.

Kesala, which draws on recent U.S. intelligence community advancements to provide VPN-level security through its cloud security and data analytics software.

“There’s some really great stuff in government labs, but there’s no commercial infrastructure around it,” Ackerman says. “If we can find a way to bridge government innovation with Silicon Valley, we have a business.”

Another player active in the Cyber Corridor is MACH37, a Herndon, Virginia-based cybersecurity accelerator.

Trial by fire

Twice annually, MACH37 competitively selects eight start-ups willing to participate in an intense 14-week program in which founders are mentored and coached into creating a sustainable company. They interact with domain experts, successful security entrepreneurs, buyers and cybersecurity investors.

The start-ups also receive a $50,000 investment and access to mentors throughout the life of their companies.

Rick Gordon, MACH37 managing partner

“We help them define what the minimum viable product needs to be, and what the backlog needs to be,” says MACH37 managing partner Rick Gordon. This is done before the focus shifts to the business model, pricing, go-to-market strategy, and developing a compelling proposition for seed investors.

MACH37 has graduated 40 start-ups in its three-year existence.

These start-ups include:

Virgil Security, which develops cryptographic software for developers. It raised $4 million in October, led by KEC Ventures, founded by Jeff Citron, founder of internet telephony company Vonage and other technology companies.

Atomicorp, a cloud-based server security software developer, which has 2,000 customers in sectors including universities, consumer products, medical devices and the U.S. government. It raised $1 million in seed funding late last year, led by Washington, D.C.-based VC Blu Ventures.

Cyber Algorithms, which develops behavioral analytics that dramatically reduce how long it takes to detect cyber attacks. It was acquired in December by enterprise password management provider Thycotic, whose 7,500-client roster includes Chevron, Gap, Deloitte and Adobe.

Both DataTribe and MACH37 are working diligently to overcome geographic and cultural hurdles that tend to separate the rigid world of government contracting from the fast-moving technology industry.

“There’s this incredible disconnect between this intellectual capital base and the people who know how to scale a commercial software business,” Gordon says. “We still have to work very hard to get institutional venture capital to invest. You have to be involved, and it’s not easy to do from Palo Alto.”

Find article here: www.thirdcertainty.com